Study Show Link Between IT Sabotage, Work Behavior

narramissic writes "According to recent research by the U.S. military and CERT, workers who sabotage corporate systems are almost always IT workers who are disgruntled, paranoid, generally show up late, argue with colleagues, and generally perform poorly."

An ounce of prevention

[suso]

Interesting article. Unfortunately since most companies never wise up about security, its probably in the companies best interest to recognize the needs of IT workers instead of being even more paranoid about them. I used to work as a system administrator at a company where most of us where disgruntled due to the lack of progress of the company and poor leadership, then things got worse when the new owner of the company stopped trusting the admins for no good reason. This created a situation where long time employees started taking the attitude of "This company wouldn't survive for a month without me here". Amazingly, companies like this do survive the departure of their best employees.

Re:An ounce of prevention

[qzulla]

Survive or become successful? A major difference.

qz

Re:An ounce of prevention

Who cares if they are disgruntled... I got a new company BMW 7 series for my 1st quarter bonus~ Does your company give out a "sociopathic manager of the year" award, too?

Don't worry. I guarantee you'll regret being such an jerk to people when you're passing middle age and you've got mountains of "stuff" to your name but not a real friend in the world.

Re:An ounce of prevention

[bladesjester]

The following exerpt from the article is pretty telling:
Macleod concluded: "So as far as doing the right thing, I'd suggest that you start from the basis that your IT staff are the biggest risk to your organization's security, and if anyone of them disputes this, remember that arguing with colleagues was one of the clear signs of an impending attack."

Basically, if management accuses IT of being a huge risk, and their IT staff is actually honest and dependable, should they stand up for themselves, that's a sign that you should trust them even less??

Give me a freaking break.

Re:An ounce of prevention

[tacocat]

This is bunk.

How many disgruntled Automotive Industries went on a shooting spree and NEVER gave any signs? Most. Same for the classic Postal Workers...

And what about the guy in Office Space?

Re:An ounce of prevention

[khallow]

Don't worry. I guarantee you'll regret being such an jerk to people when you're passing middle age and you've got mountains of "stuff" to your name but not a real friend in the world.

That's not the choice. People of this makeup chose between having lots of stuff and no friend versus having few things and no friends. Maybe they'll wise up enough to regret being a jerk, but it's not a given IMHO.

Re:An ounce of prevention

[db32]

Uhm...most people do give warning signs, the fact that they are ignored doesn't mean they weren't there. Of coarse everyone interviewed says "Well he seemed nice and stable, we had no idea" That is likely because they didn't talk to that person more than the bare minimum required to get the job done. As aweful of a concept as it seems to be these days, its called getting involved with your people. It IS the supervisors responsibility to know more about his subordinates than just job performance, its called leadership, as opposed to management. You manage things, you lead people.

The funny thing is, this same mentality rears its ugly head EVERYWHERE. Kids on drugs, doing pornos, running away, violent crimes...are the video games the problem or uninvolved parents? Have you ever lived in a neighborhood where everyone was at least familiar with eachother and the norms for the area? (Who is that guy driving around..., Wasn't little johnny over there a minute ago?, I thought the Smith's were on vacation.) If I did something stupid somewhere my parents knew about it by the time I got home.

Get involved with the people around you, you would be surprised what you will learn about them. It is no surprise it is getting worse, uninvolved parents teach their kids to be uninvolved too. Uninvolved supervisors teach their subordinates to be uninvolved. Its a cascading thing.

FYI, that guy in Office Space was an actor, so really the signs of him losing it were the script telling him to lose it. But Falling Down is another good movie along those lines anyways :)

Re:An ounce of prevention

[Shaper_pmp]

And what about cause and effect?

If you've got the kind of work environment that disgruntles and demotivates your employees, it's vastly more likely that one of them will be pissed off enough to steal from the company.

I'd never do something as unprofessional as sabotage, but I've worked for companies before that made me "disgruntled" and "paranoid". Praise invariably passing up the chain and blame dripping downwards will do that to an organisation. Given this it's hardly surprising that demotivated people will "generally show up late" and "generally perform poorly". And if you're trying to do your best but your company culture mandates inefficiency and second-best alternatives, damn straight any professional worth his salt is going to "argue with colleagues" who dictate it should be done the way it's always been done rather than the way it should be done.

But, of course, these warning signs are clearly the telltale signs of impending sabotage which warrants clamping down harder on the unhappy employee... and not... say... signs your management style and company culture is so fucked that you'd better sort it out soon or everyone's going to need watching.

Kind of reminds me about how poor parenting, easy access to weapons and a terrible high-school culture lead to Columbine, but it was the trenchcoats and Metallica t-shirts which bore the brunt of the outrage and paranoia afterwards.

Hmmm.

Re:An ounce of prevention

[khallow]

That is pretty naive.

Maybe you ought to get some experience first. I can't say much about the rest of the paragraph, but it sounds to me like your friends don't tirelessly work to bail you out of problems of your own making (eg, bar fights).

Don't get deluded you can rely on anyone but yourself when times get tough. Pack your own parachute.

Good advice, but we don't only want friends around when times get tough.

For example, jobs. With two similar resumes, who is going to be taken for a position, the guy with tons of buds and a crappy car, or the professionally-dressed guy who has a neat, clean Hummer who will display a professional, corporate image for that company? If its a company who is any way going to be around in five years, it will be the guy with the H2.

My take is that the professional-dressed guy with a crappy car and tons of buds probably will present a better professional, corporate image than the professionally-dressed basket case with the H2 who somehow can't manage to make and keep friends. The term for it is "communication skills".

Re:An ounce of prevention

[benzapp]

One of his main points is that when we find someone 'creepy', it's actually an early warning system that they're likely to be a danger. However due to social conditioning, people usually ignore their gut feelings which is a mistake. He also helped develop the model that the Secret Service uses to decide whether people who have made threats are probably harmless or likely to eventually commit violence.

It's deeper than that. This is fundamentally due to the religion of absolute egalitarianism.

Think about it, "the creepy guy" is likely to not have a strong chance of being violent. I've known many creepy guys in various jobs, and to my knowledge, none of them are criminals let alone violent ones.

Yet, 25% of black males between the ages of 18 and 35 are convicted felons. If you walk down the street and encouter a young black man, there is a strong chance he really IS a criminal. Yet, how many people reading this absolute truth feel the urge to accuse me of racism?

The belief that prejudice is wrong has moved into every facit of life - we are enthralled with devotion to the ideal that people are innocent until proven guilty.

Re:An ounce of prevention

[kabocox]

Don't worry. I guarantee you'll regret being such an jerk to people when you're passing middle age and you've got mountains of "stuff" to your name but not a real friend in the world.

Um, who said that his employees had to be his friends? He could have alot of outside of work friends with the same habits or toys that he has. His employees won't belong to his social set. Friends in his social circle could help in job leads or networking contacts that could help a family member start off making more than his employees ever will. Is this fair? Yeap, it is how humans have always worked. It's the expected norm that friends and family of your peer group help out your peer group while using other peer groups as needed. Don't tell me that you don't keep an ear out for your family or friends and would rather they start off making more money than the same person in India or China. How is one peer group helping its self different from any peer group helping its self. Let's face it. IT folks in general don't have the aptitude to use networking contacts to max out our income with social effort. This is why we get pissed when we see those that do have that ability making more than us or leading us. They aren't better than us. They have and use better social contacts to get where they are.

Re:An ounce of prevention

[xappax]

Yet, 25% of black males between the ages of 18 and 35 are convicted felons....there is a strong chance he really IS a criminal.

I can't back this up with a study (you didn't back your stat up, so it's fair game), but it seems obvious that people who post to Slashdot are several TIMES more likely to be involved in computer crime than the average American (they have a high degree of technical knowledge, and often an outsider social perspective). So I agree. Let's do away with all of this "innocent until proven guilty" shit and start seizing some Slashdotter's computers!

I mean why should we be worried about the fact that we're being prejudiced against a group of people who are mostly innocent? The fact is that they're probabilisticly guilty because of who they are (or what sites they visit), and it's a lot easier to just assume they're guilty than wait for them to actually commit an offense. So maybe some innocent people end up getting treated like criminals because of what messageboards they post to - but come on, the alternative is having to assume everyone is innocent (regardless of whether we like them or not) unless we have actual evidence of wrongdoing!

Re:An ounce of prevention

"Actually when they've investigated, it turns almost every disgruntled shooter DID give signs beforehand."

Compared to? This is called restrospective or hindsight bias.

Unless you have a control group, you don't know; you're basing it on a known outcome and then going back historically. That fails if there is no group to compare to.

"People almost never just 'snap' and become violent - usually there's a predictable series of escalating steps that they go through before that point."

Those predictable steps you conveniently gloss over and easily omit. You have no idea about the internal structures that people build up to cope; subtle things can set someone off, just as in sorrow, or violence. Frankly, you don't have a damn clue.

"There's an excellent book, "The Gift of Fear" by Gavin De Becker, that goes into how to predict who will become violent at work."

Which are full of tests, double-blind studies, and scientific fact...right?

"One of his main points is that when we find omeone 'creepy', it's actually an early warning system that they're likely to be a danger."

Uhh...huh? A person is going to give off signs of violence, when that is likely counterproductive to his well-being. That doesn't even make sense evolutionarily.

People find others creepy because they want them to be, because they just noticed something that's always been there, or because there actually has been a change that may or may not indicate a predisposition to violence.

"However due to social conditioning, people usually ignore their gut feelings which is a mistake."

A bank that is perceived as unstable, whether or not it actually is, becomes unstable. (If the bank is perceived as unstable, people do not feel comfortable with their money in it, so they withdraw funds and stop making deposits, thus hamstringing the bank.)

No, we are conditioned these days to stay out of it. Maybe if we stayed involved in people's lives, stopped suing everyone for helping out, they wouldn't appear creepy because we'd know if there was actually a problem, or we'd address the problem by *gasp* asking how a co-worker is doing and thus put a stop to any downhill behavior that may be going on.

If you treat a person as a creep, they become a creep. Whispers start occuring, they start noticing, people don't want to hang out with you, and the stress level from lack of social interaction may add to whatever small problem you thought may have manifested itself.

"He also helped develop the model that the Secret Service uses to decide whether people who have made threats are probably harmless or likely to eventually commit violence."

The same Secret Service model that goes after people for writing letters to the editor criticizing the President? The same model that goes after males, young, progressive, liberal, racial minority?

What a loud of shit. This is like those studies that claim that "loners" are more susceptible to violence. Our legal system is an antagonistic system based on evidence which means, largely because CSI ain't the real world, witness testimony. The number one thing to fight against lies? Witnesses. The number one thing to fight against you partaking in a crime? Witnesses aka alibi. Loner have these? Nope. See skew.

That sounds like American Mgt

>>who are disgruntled, paranoid, generally show up late, argue with colleagues, and generally perform poorly

WTF!!!

Thats sounds exactly like the CEOs/executives at the last few places I've worked. When in doubt, always blame the little people, same as it ever was.

Re:Access

[mabhatter654]

as opposed to the armies of users that "sabotage" the desktops and network resources on a daily basis?

sure... the IT guys are the problem.

Tamping down management paranoia

[ewg]

I think the point of this study is that management doesn't have to be paranoid about normal IT people abusing the trust the organization has placed in them. The people truly likely to cause harm will broadcast that fact clearly in advance through egregious behavior.

Work with both, then post

[LibertineR]

If you ever worked with Notes, you would thank Microsoft everyday for Exchange.

Re:Work with both, then post

[Grail]

And if you've worked with both, you'll realise how much easier life is with neither.

Thinly veiled ad

[Knytefall]

The last few paragraphs of the article are more-or-less unedited PR hype from a vendor:

"According to security management vendor Calum Macleod of Cyber-Ark..Macleod's solution is password management....'If privileged password management is not on your shopping list in 2007 it may already be too late.'"

This is preceded with a 'people who say you shouldn't buy my product may already be criminals':

"'if anyone of them disputes this, remember that arguing with colleagues was one of the clear signs of an impending attack.'"

I can't believe this ran! This reporter was shockingly lazy.

useless

[oohshiny]

According to the research, 86 percent of those who committed cybercrimes held ...

That's nearly useless information. By analogy, nearly 100% of rapists are male, yet very few males are actually rapists.

what about work treatment?

[bzipitidoo]

What about workers who are routinely abused? Workers who are pushed to make themselves desperate (financially desperate, usually) to keep the job so they can be treated like slaves, and who are then forced to work long hours for no extra pay because they're salaried, constantly threatened with termination, blamed for problems but denied power to deal with them, and so on, did the study account for that? Doesn't look like the study did. Study talks about "work behavior" but not "work treatment", as if companies have no effect on whether a worker would want to sabotage something.

Ignoring signs-- signs such as a person coming in late who had always come in on time in the past-- is a sure invitation to trouble. People who feel they can't communicate one way will communicate another way. Maybe before concluding that someone who is causing "trouble" better be escorted off the premises in handcuffs before they can do real damage, management ought to try a few other things first. Like, listen in such a way that workers feel they can speak openly. And removing the temptation. If a nuclear missile could be launched with the push of one button, it probably would've happened. Good thing the missiles require several keys, codes, and such like.

This study strikes me as narrow.

Smart enough?

[alshithead]

Those who are capable of wrecking systems thoroughly are usually also smart enough not to show signs that they are willing to do so... The ones who grumble and complain need to be shown the door before they wreak havoc or, pacify them. It's the non-complainers you need to make sure are really happy because if they're not...you could be screwed.

indeed... here is yet another anecdote

As a sysadmin/webmaster at a small company I was involved in the infrastructure and in daily stuff that made money, like doing websites for the company's customers.

At one point I was drawn into an "argument" with colleagues over two things:

1) they needed a new box to run the firewall on. Owners wanted to postpone indefinitely. Sysadmin pressed his point. CEO suspected sabotage or other agenda... in spite of having had a prior avoidable firewall failure take down the network. He decided the sysadmin was crying wolf, or worse.

2): graphic designers and marketing people had proposed, priced and designed a website concept without consulting the guy who was going to code it. There were problems in the executability of the design and an underbid situation.

A technical problem that could be solved with a technical approach, if there were trust. Once again, sysadmin/webmaster "argued" for another approach on technical grounds. Answer: defenses, emotionalism, circle the wagons.

Net result of both contentions: emotionalism, accusations; sysadmin forced to resign.

The firewall did have a hardware failure after about six months; the website proposal flopped and the company lost their major client's web work. Satisfaction for the sysadmin? H**l no. There are no winners in something like this. You need to work with people you can trust and who trust you. This untrusted crap is destroying the very idea of "a good job" and consuming businesses and relationships from within.

You have to be able to air the relative merits of various technical approaches in a respectful, professional way so that what's rational and feasible emerges.

If this is "arguing with colleagues", resulting in an immediate security red-flag and dismissal... how can you have peer review or objective discussions? Worse still, it means we've descended into a totalitarian workplace.

Pop psych bull setting up suits for major disaster

[Ungrounded+Lightning]

Let's see... the study shows that people who are fired generally are considered by their employers to have performed poorly...

This is groundbreaking!

And while we're at it: How many employees who do NOT sabotage corporate systems "are disgruntled", "are paranoid", "generally show up late", and/or "argue with colleagues"?

Last time I looked:

  - A large fraction of the best IT people often work late, for any or all of several reasons: They prefer it, they need to work when load is light to minimize impact on business processes, fixing what the users broke during the day skews the time of their peak workload to later than that of the mainstream users, etc.

They often work more than a normal workday - but they'd have to work two shifts every day and only take time out for sleep, in order to come in bright and early to impress the suits who read this "study". But any sane IT professional will take advantage of flex time and come in late instead.

Programmers and other IT professionals coming in late has been a stereotype since computers used vacuum tubes. (I know because I was there and was one of many who created it. B-) )

  - "Argue with colleagues"? Maybe yes-maning works in the executive suite. But when a crew of experts is chasing down a problem there will be a slew of hypotheses tried and discarded, with different workers coming up with different hypotheses and evidence to falsify them. To an outsider this looks like an argument, when it's actually progress. Experts will also often have differing opinions and will discuss them - ditto.

(I recall one company where upper-level executives quietly added themselves to an engineering internal mailing list. There we discussed the latest problems - often heatedly - until they were solved. When one was solved the traffic on THAT problem stopped cold and another would take its place. To the suits it looked like a disaster, when in fact the project was on time, within budget, exceeding targets, and still looked like it would have been a quantum leap when delivered - if the company hadn't suddenly shut it down...)

- "disgruntled"? With the continuing budget shortfalls, IT resource expansion always lagging company growth, lusers opening virus email, ... I have yet to meet a "gruntled" IT professional.

- "paranoid"? (I presume we're talking the folk etymology, not clinical paranoia.) IT, like other forms of engineering, is an exercise in staying at least one step ahead of Murphy's Law. If an IT professional isn't "paranoid" he's not doing his job.

Watch the suits who saw this start canning their best IT people - zero-notice style. (That's where the employee arrives at work to find his cardkey doesn't work his passwords are rescinded, and he is escorted to HR where he is handed two weeks pay in lieu of notice, a box containing anything from his desk that the company didn't think was theirs, and a threatening document in lawyerese, and then kicked out of the building.)

And of course the fired employees will be blamed when the network starts to go to hell when the remaining people can't apply duct tape and chewing gum fast enough or the next rash of malware gets past the firewall.

= = = =

This reminds me of the "profiles" of school-age mass-murderers: They're always described as loners and introverts who don't get along with others in their school. In other words, just like all the nerds who get pounded on by the jocks and snubbed by the cheerleaders and queen-bees and react by withdrawing from contact with the "beautiful people" cliques. And every time one of these "studies" come out the administrators (generally former "beautiful people" themselves) dump on the nerds and side with the jocks that much more...

Yeah, I'd buy something from this guy....NOT

[JakiChan]

So as far as doing the right thing, I'd suggest that you start from the basis that your IT staff are the biggest risk to your organization's security, and if anyone of them disputes this, remember that arguing with colleagues was one of the clear signs of an impending attack. Gotta love the logic here. Even if I *was* shopping for password management tools I wouldn't buy one from that guy just based on that statement.

Prevention not the issue - green-eyeshade mgmt is

This 'virtuous cycle' is a good reason to stay out of corporate IT at American companies.

If you're with a rare IT group that has good relations with the business unit, and can collaboratively prioritize projects so you're not reacting all the time, stick with them, and let them know why. Otherwise, find a company who directly sells your software product, or services around that. Firms that only indirectly depend on you will screw you every time.

Corporate IT is just a cost center, at most companies, and the CIO will never get adequate resources if they report through Finance. This problem is especially bad in health care and insurance firms.

Consider corporate management, who generally didn't have either the inclination or the intellectual capacity to get a REAL technology degree, and don't get ongoing technology training. They secretly resent that they are dependent on "technology folks" - who they don't understand - for the companies operations (and survival, when things go wrong).

And now, imagine you're a company like TJX (parent company of TJ Maxx and Marshall's), who have inappropriately retained credit card numbers, then had a security breach. They have NO IDEA how many people's numbers were lost.

It's natural to look to IT as a scapegoat, when it's their own boneheaded prioritization that put information security last.

It doesn't work that way

[Moraelin]

Does your company give out a "sociopathic manager of the year" award, too?

Don't worry. I guarantee you'll regret being such an jerk to people when you're passing middle age and you've got mountains of "stuff" to your name but not a real friend in the world.

_If_ he's a sociopath (you can't diagnose that from just one message), it just doesn't work that way. You're making the usual mistake of assuming that all humans are essentially, well, equally human and you only need appeal to someone's humanity/feelings/moral-sense/flash-of-enlightenme nt to thaw even the coldest heart. We like to think that assholes are just the result of some trauma making them retreat behind a facade of callousness, and it only takes some emotional argument to get them out of that shell. Which makes great for great novels movies, but isn't what psychiatry tells us.

Sociopathy is, simply put, completely lacking the empathy and connection to other humans. It's being the only human in a single-player world full of generic NPCs. They're not your peers, they don't matter, their feelings don't matter, they're there just to be used, abused, manipulated, lied to, whatever gets you closer to your objectives.

Think of your relationship to NPCs in a computer game. Do you really care what that generic NPC in Oblivion or GTA feels or thinks? Do you care if he/she had a bad day, or if his/her kid is sick? Would you feel any sense of accomplishment of having him/her as a friend? Would you feel bad for clicking on a complete lie dialogue choice just to finish a quest? Would you even really think of them as a "he" or a "she", or more along the lines of "it"? I mean, don't be silly, it's just a game and just a scripted NPC. Right?

Well, in a nutshell that's the kind of world that a sociopath lives in. You can't even be seen as a friend by one. You're at most a sucker to be used for a purpose, even if that purpose is a few minutes of entertainment.

So expecting that one would wake up one day and think "man, I wasted my life, I should have made friends" is naive. That's the kind of notion that doesn't even compute in their world. Or not for the same meaning of "friend" that you'd use.

This is really stupid!!

[snero3]

I know that a lot of you out there will be thinking, "hell ya, it is managements fault we are treating like this so lets get back at them but destroying their systems."

Believe me guys that is not the case, the only people you hurt are your co-workers. I joined a company where a lot of the Admin stuff were fired. Some of them left nice little surprises that went off a couple of days later. Guess who was there until 3am in the morning putting everything back together? I can tell you it wasn't the managers. I can also tell you that those guys that got fired lost many good friends the day they did that and a lot of hard earned respect. Most of them are still looking for jobs a year later as NO ONE from their previous job (which many had held for 6+ years) will give them a good reference anymore because of their actions.

So my point is that if you are pissed off at management then complain or leave. Don't destroy things as it only hurts your co-workers not management.